CVE-2021-0644Sensitive Information Exposure in Google Android

CWE-200Sensitive Information ExposureCWE-863Incorrect AuthorizationCWE-276Incorrect Default Permissions6 documents6 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 96.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Platform Frameworks BasePlatform Frameworks OPT TelephonyGoogle Android
Timeline
PublishedOct 6
Latest updateMay 24

Description

In conditionallyRemoveIdentifiers of SubscriptionController.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-181053462

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5google/androidAndroid-11 Android-10
NVDgoogle/android10.0, 11.0+1
Androidplatform/frameworks_base10:010:2021-09-01+1
Androidplatform/frameworks_opt_telephony10:010:2021-09-01+1

Patches

Patch: source.android.comPatch: source.android.com

🔴Vulnerability Details

3
GHSA
GHSA-x87c-8v42-cm55: In conditionallyRemoveIdentifiers of SubscriptionController2022-05-24
CVEList
CVE-2021-0644: In conditionallyRemoveIdentifiers of SubscriptionController2021-10-06
OSV
CVE-2021-0644: In conditionallyRemoveIdentifiers of SubscriptionController2021-09-01

📋Vendor Advisories

2
Android
CVE-2021-0644: Android Security Bulletin 2021-09-01 CVE: CVE-2021-0644 Severity: HIGH Type: ID Affected AOSP versions: 10, 11 References: A-181053462 [2]2021-09-01
Red Hat
cups: insecure permissions of /var/log/cups allows for symlink attacks2021-04-29
CVE-2021-0644 — Sensitive Information Exposure | cvebase